Poweliks: a file-less malware Hides in Windows Registry

The SonicWall Threats Research team observed reports of a file-less Trojan named GAV: Poweliks.CCL actively spreading in the wild. The malware tries to reside only in the registry and hides as a subkey in the computer’s registry rather than as an executable file. This mechanism could be used by malicious spam emails and exploit kits, such as those targeting the Microsoft Word document vulnerability described in CVE-2012-0158, to target computer users.

Once the target system is compromised, the attacker may use it to establish a botnet.

Infection Cycle:

Md5: 0181850239cd26b8fb8b72afb0e95eac

The Trojan adds the following key to the Windows registry to ensure persistence upon reboot:

  • HKCU\Software\Microsoft\Windows\CurrentVersion\Run\(Default)

The character used for the key’s name is not an ASCII character; this hides the entry, because Regedit cannot read the non-ASCII character. Here is a screenshot of the registry tool:

The malware stores encoded JavaScript in the auto-start registry key. Here is an example of the created registry key value:

Poweliks checks whether Windows PowerShell is installed on the affected system; if not, it downloads and installs it on the infected system from the following links:

Here is how the malware downloads and runs PowerShell:

The malware executes the encoded script via PowerShell, dropping a DLL that is responsible for downloading other malicious files onto the infected system. This is part of its evasion mechanism, since the script is never executed directly by Windows or any application.

Here is the Script Sample:

Here is the Base64-encoded PowerShell script that executes the shellcode:

Also here is a DLL dropper sample:

After the system restarts, this DLL file is injected into the DLLHOST.EXE process. The injected code is capable of downloading other malware.

Malware Traffic

Poweliks communicates over port 80. Requests to statically defined hosts and IPs are made on a regular basis; these requests are as follows:

  • 178.89.159.34
  • faebd7.com

The malware uses dynamically generated codes in its own traffic. Here are some details about these codes:

http://178.89.159.34/q/type=%s&version=1.0&aid=%s&builddate=%s&id=%s&os=%s_%s

  • Code 1: type=status: start, install, exist, cmd or low
  • Code 2: version=1.0
  • Code 3: aid=Id
  • Code 4: builddate=%s
  • Code 5: id=UID
  • Code 6: os=OS version_OS architecture
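The beacon layout above is enough to write a log check for it. The following is an added example, not SonicWall’s code: it parses request URLs from a few constructed proxy log lines, handles the fact that the observed beacon carries its parameters directly after /q/ with no “?”, and reports any request that fits the layout, marking whether the host is one of the two named above.

```python
"""Flag Poweliks-style beacons in HTTP proxy logs.

Added example, not SonicWall's code: it checks request URLs against the
beacon layout described above (path /q/ carrying type, version, aid,
builddate, id and os, with type limited to start/install/exist/cmd/low)
and runs the check over a few constructed log lines.
"""
from urllib.parse import urlsplit, parse_qs

BEACON_PARAMS = {"type", "version", "aid", "builddate", "id", "os"}
BEACON_TYPES = {"start", "install", "exist", "cmd", "low"}
# Hosts named in the write-up; any other host with the same layout is
# still reported, just without the known-host flag.
KNOWN_HOSTS = {"178.89.159.34", "faebd7.com"}


def beacon_fields(url):
    """Return the parsed beacon parameters, or None if the URL does not fit."""
    parts = urlsplit(url)
    path, query = parts.path, parts.query
    # The observed beacon has no '?': the parameters follow /q/ directly,
    # so a plain parse would leave them in the path.
    if not query and path.startswith("/q/"):
        path, query = "/q/", path[len("/q/"):]
    if path != "/q/" or not query:
        return None
    fields = {k: v[0] for k, v in parse_qs(query, keep_blank_values=True).items()}
    if set(fields) != BEACON_PARAMS:
        return None
    if fields["type"] not in BEACON_TYPES or fields["version"] != "1.0":
        return None
    if "_" not in fields["os"]:          # os=<OS version>_<OS architecture>
        return None
    return fields


def scan_log(lines):
    """Return one finding per beacon-shaped request in 'timestamp client method url status' lines."""
    findings = []
    for line in lines:
        cols = line.split()
        if len(cols) < 4:
            continue
        fields = beacon_fields(cols[3])
        if fields is None:
            continue
        host = (urlsplit(cols[3]).hostname or "").lower()
        findings.append({
            "client": cols[1],
            "host": host,
            "known_host": host in KNOWN_HOSTS,
            "type": fields["type"],
            "bot_id": fields["id"],
        })
    return findings


# Constructed sample lines (not real traffic); the first two fit the layout.
SAMPLE_LOG = [
    "2014-11-25T10:00:01Z 10.0.0.5 GET http://178.89.159.34/q/type=start&version=1.0&aid=7&builddate=20141101&id=ab12&os=6.1_x86 200",
    "2014-11-25T10:05:01Z 10.0.0.9 GET http://cdn.example/q/type=exist&version=1.0&aid=7&builddate=20141101&id=cd34&os=6.1_x64 200",
    "2014-11-25T10:06:42Z 10.0.0.5 GET http://www.example/q/?page=1 200",
]

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(hit)
```

Matching on the parameter set rather than only on the two hosts means the check survives a change of command server; the known-host flag is kept so an analyst can tell a confirmed indicator from a structural match.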

SonicWALL Gateway AntiVirus provides protection against this threat via the following signatures:

  • GAV: Poweliks.ACL
  • GAV: Poweliks.BCL
  • GAV: Poweliks.CCL
  • GAV: Poweliks.CCM

Spam campaign roundup: The Thanksgiving Day Edition (Nov 26, 2014)

Thanksgiving day is once again upon us. This also marks the biggest shopping weekend of the year. With consumers gearing up for holiday sale shopping and retailers hoping for an up-tick in business, cybercriminals are also increasing their efforts as scamming, spamming and phishing have become their holiday tradition.

Over the last week, the Dell SonicWALL threats research team has been tracking down all Thanksgiving Day related spam emails.

As Black Friday weekend approaches, we are receiving an increasing number of these holiday-related spam emails. Consumers are spending more time shopping online, so cybercriminals have become more aggressive and creative with their tactics. The spam emails share a common theme: luring consumers to click on links and provide their personal information in exchange for early access to doorbuster deals or a chance to win cash and gift cards. The following are some of the common email subjects:

  • BLACK FRIDAY BLOWOUT DEALS: Save up to 92% off!
  • Get The Cash You Need This Thanksgiving!
  • Festive Gifts for you – 60- 90% 0ff today.Happy Thanksgiving
  • Before Thanksgiving Day – Win the lotto [Tousername]
  • Complete our Black Friday Survey — for Rewards !
  • Have a wonderful Thanksgiving with these rewards
  • Amazing Thanksgiving & Black Friday Sale,87% 0ff,do not Miss
  • Your Amazon Thanksgiving Gift #9178-942
  • Unlock Black Friday Deals Now
  • RE: Purchasing your home for all cash before Thanksgiving

Most of these emails purport to come from popular department stores promising gift cards; when clicked, the links take you to a URL different from the real merchant’s website. The consumer is then asked to enter personal information and to participate in a number of “offers”, often costing money in fees or subscriptions, without any guarantee of ever receiving the products and services or the free gift card at the end of the process.

Email redirecting to hongsflirs.com

We urge our users to always be vigilant and cautious with any unsolicited email and to avoid providing any personal information, particularly if you are not certain of the source.

Dell SonicWALL Gateway Antivirus and Email Security service constantly monitor and provide protection against such malicious spam and phishing threats.

Mitigating DoubleDirect Attacks (Nov 26, 2014)

A man-in-the-middle (MitM) attack intercepts a communication between two systems. Using various techniques, the attacker splits the original TCP connection into two new connections, one between the victim and the attacker and the other between the attacker and the server.

A man-in-the-middle technique called DoubleDirect surfaced recently. The technique uses ICMP redirect packets to create new connections between the victim and the attacker. Since most GNU/Linux and Windows desktop operating systems do not accept ICMP redirect packets, these systems are not affected. However, Android, iOS and OS X accept ICMP redirect packets and hence are prone to this attack.

The technique allows the attacker to eavesdrop if the original TCP connection is unencrypted. For an encrypted TCP connection, such as HTTPS, eavesdropping is more difficult (unless the CA’s private key has been compromised by the attacker).
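To show what a network sensor actually has to look at to catch this, here is an added example (not Dell SonicWALL’s signature logic) that decodes a raw IPv4 ICMP Redirect (type 5) message, verifies its checksum, extracts the advertised new gateway and the destination being redirected, and flags the message when it does not come from, or point to, a gateway the host already trusts. The sample packet is constructed by sample_redirect() using documentation address ranges; nothing is sent on the wire.

```python
"""Parse and triage IPv4 ICMP Redirect (type 5) messages.

Added example, not Dell SonicWALL's code. parse_redirect() decodes a raw
IPv4+ICMP packet and is_suspicious() applies the usual rule: a redirect is
only acceptable from the current gateway and only towards another router
the host already trusts. sample_redirect() builds the test fixture.
"""
import socket
import struct

ICMP_REDIRECT = 5
REDIRECT_CODES = {0: "network", 1: "host", 2: "TOS and network", 3: "TOS and host"}


def inet_checksum(data):
    """RFC 1071 one's-complement checksum; evaluates to 0 over a valid header."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ipv4_header(src, dst, proto, payload_len):
    """Minimal 20-byte IPv4 header with a correct header checksum."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64,
                      proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return hdr[:10] + struct.pack("!H", inet_checksum(hdr)) + hdr[12:]


def sample_redirect(sender, victim, new_gateway, orig_dst, code=1):
    """Constructed fixture: a host redirect telling victim to reach orig_dst via new_gateway."""
    # A redirect quotes the IP header plus 8 bytes of the datagram that triggered it.
    quoted = ipv4_header(victim, orig_dst, 6, 8) + bytes(8)
    icmp = struct.pack("!BBH4s", ICMP_REDIRECT, code, 0, socket.inet_aton(new_gateway)) + quoted
    icmp = icmp[:2] + struct.pack("!H", inet_checksum(icmp)) + icmp[4:]
    return ipv4_header(sender, victim, 1, len(icmp)) + icmp


def parse_redirect(packet):
    """Return a dict describing an ICMP redirect, or None for any other packet."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return None
    ihl = (packet[0] & 0x0F) * 4
    if packet[9] != 1:                       # protocol 1 = ICMP
        return None
    icmp = packet[ihl:]
    if len(icmp) < 8 + 20 or icmp[0] != ICMP_REDIRECT:
        return None
    quoted = icmp[8:]
    return {
        "sender": socket.inet_ntoa(packet[12:16]),
        "target": socket.inet_ntoa(packet[16:20]),
        "code": REDIRECT_CODES.get(icmp[1], "unknown"),
        "checksum_ok": inet_checksum(icmp) == 0,
        "new_gateway": socket.inet_ntoa(icmp[4:8]),
        "redirected_dst": socket.inet_ntoa(quoted[16:20]),
    }


def is_suspicious(info, trusted_gateways):
    """True unless the redirect both comes from and points to a trusted gateway."""
    return (info["sender"] not in trusted_gateways
            or info["new_gateway"] not in trusted_gateways)


if __name__ == "__main__":
    pkt = sample_redirect("192.168.1.66", "192.168.1.10", "192.168.1.66", "203.0.113.5")
    info = parse_redirect(pkt)
    print(info, "suspicious:", is_suspicious(info, {"192.168.1.1"}))
```

The trusted-gateway rule is what a host that honours redirects should enforce itself; a sensor applying the same rule to traffic on the segment sees the DoubleDirect case immediately, because the new gateway is a host that was never a router.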

To prevent DoubleDirect attacks, Dell SonicWALL suggests that customers enable prevention for the following signature:

  • IPS sid:5198 “ICMP — Redirect (5)”

Usbstealer: USB info-Stealer targeting various organizations systems

The Dell SonicWall Threats Research team observed reports of a USB info-stealer Trojan named GAV: Usbstealer.AD and Usbstealer.AP targeting various organizations’ systems. Unlike most malware, which spreads to other machines over vulnerable network services, this malware is specifically designed to infect USB removable devices. Usbstealer targets computers that are isolated from the Internet. Once the target system is compromised (infected by a USB device connected to System A), the malware grabs sensitive data files from System B (the isolated system) and transfers them to the USB drive; when the infected USB drive is connected to System A again, it copies all the files to System A.

Infection Cycle:

Md5: d7386708e70b5b5c015dbad1ad43a9a6, 8cb08140ddb00ac373d29d37657a03cc

The malware creates a service such as USB Disk Security or USBGuard on the system and also creates an auto-start key in the registry, such as the following:

  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
  • File path = C:\WINDOWS\system32\USBGuard.exe service

Here is an example of the created service in the registry:

The malware adds the following files to the system:

  • %userprofile%\Music\[Computer Name]\[Computer Name].lst
  • %userprofile%\Music\end
  • [USB Drive]:\System Volume Information\desktop.in
  • [USB Drive]:\System Volume Information\S-1-5-21-1315235578-283289242\[Computer Name]\[Random Number]
  • [USB Drive]:\System Volume Information\S-1-5-21-1315235578-283289242\[Computer Name]\[Computer Name].lst

On first run, the malware retrieves a list of all files and folders and drops it as the file [Computer Name].lst in the Music folder.

Here is a sample of the file:

After the malware has retrieved all files on the system, it creates an empty file called End in the Music folder, then waits for the infected USB drive again and transfers all grabbed files into the System Volume Information folder.

The malware looks for all files with the following extensions:

  • .pkr
  • .skr
  • .key

The malware searches for these files everywhere except in folders whose names contain the following antivirus names:

After that it copies those files into the Music folder, as follows:

Once a new USB drive is inserted into the system, the malware drops USBGuard.exe onto the drive and also drops an Autorun.inf file into the root of that USB drive, as follows:

The malware also transfers all the collected files onto the infected USB drive; here is an example:

When the target user double-clicks the USB drive or uses the right-click Explore option, USBGuard.exe is executed.

The attack only works if Autorun is enabled on the targeted computer. Microsoft deactivated the feature in 2009 with the release of the Windows KB971029 update.

The malware also marks the USB drive as having been used on a machine with an Internet connection by dropping desktop.in into the System Volume Information folder.

Once the files are transferred to System A, the attackers need to use other malware to copy the data to their own servers, because this malware has no such network capability.
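The dropped files and markers listed above are host artifacts that can be swept for without any network visibility, which matters for the isolated System B. The following added example (not SonicWall’s detection code) checks a removable drive root for the Autorun.inf that launches USBGuard.exe, the dropped binary, the desktop.in marker and the SID-named staging folder under System Volume Information, and checks a user profile for the [Computer Name].lst listing and the empty end marker in Music. Name matching is case-insensitive, as on Windows; the directory layout built by build_sample_tree() is constructed for the demonstration and contains no malware.

```python
"""Sweep a removable drive and a user profile for the Usbstealer artifacts
described above.

Added example, not SonicWall's detection logic. The layout built by
build_sample_tree() is a constructed stand-in for an infected drive/profile.
"""
import re
import tempfile
from pathlib import Path

SID_DIR = re.compile(r"^S-1-5-21-\d+-\d+", re.I)


def _child(directory, name):
    """Case-insensitive lookup of a direct child entry, as Windows resolves names."""
    if not directory.is_dir():
        return None
    for entry in directory.iterdir():
        if entry.name.lower() == name.lower():
            return entry
    return None


def sweep_usb_drive(root):
    """Return (tag, path) findings for one removable drive root."""
    findings = []
    autorun = _child(root, "autorun.inf")
    if autorun and "usbguard.exe" in autorun.read_text(errors="ignore").lower():
        findings.append(("autorun_launcher", autorun))
    binary = _child(root, "usbguard.exe")
    if binary:
        findings.append(("dropped_binary", binary))
    svi = _child(root, "System Volume Information")
    if svi:
        marker = _child(svi, "desktop.in")
        if marker:
            findings.append(("online_marker", marker))
        for entry in svi.iterdir():
            if entry.is_dir() and SID_DIR.match(entry.name):
                findings.append(("staging_folder", entry))
                findings += [("file_listing", p) for p in entry.rglob("*.lst")]
    return findings


def sweep_user_profile(profile):
    """Return (tag, path) findings for the Music folder of one user profile."""
    findings = []
    music = _child(profile, "Music")
    if music:
        findings += [("file_listing", p) for p in music.rglob("*.lst")]
        end = _child(music, "end")
        if end and end.is_file() and end.stat().st_size == 0:
            findings.append(("collection_done_marker", end))
    return findings


def build_sample_tree(base):
    """Constructed layout mimicking an infected drive (E) and profile; no real malware."""
    usb, profile = base / "E", base / "Users" / "alice"
    staging = usb / "System Volume Information" / "S-1-5-21-1315235578-283289242" / "WS01"
    staging.mkdir(parents=True)
    (usb / "Autorun.inf").write_text("[autorun]\nopen=USBGuard.exe\n")
    (usb / "USBGuard.exe").write_bytes(b"placeholder, not an executable")
    (usb / "System Volume Information" / "desktop.in").write_text("")
    (staging / "WS01.lst").write_text("C:\\docs\\a.key\n")
    (profile / "Music" / "WS01").mkdir(parents=True)
    (profile / "Music" / "WS01" / "WS01.lst").write_text("C:\\docs\\a.key\n")
    (profile / "Music" / "end").write_text("")
    return usb, profile


def demo():
    """Build the constructed tree in a temp dir; return sorted tags per sweep plus a miss."""
    with tempfile.TemporaryDirectory() as tmp:
        usb, profile = build_sample_tree(Path(tmp))
        return (sorted(tag for tag, _ in sweep_usb_drive(usb)),
                sorted(tag for tag, _ in sweep_user_profile(profile)),
                sweep_usb_drive(Path(tmp) / "missing"))


if __name__ == "__main__":
    print(demo())
```

The empty end file and the SID-named folder are the most specific of these artifacts; a stray .lst file alone is weak evidence, so the sweep returns tags rather than a verdict and leaves scoring to the analyst.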

SonicWALL Gateway AntiVirus provides protection against this threat via the following signatures:

  • GAV: Usbstealer.AD and Usbstealer.AP

Microsoft Elevation of Privilege Vulnerability MS14-068 (November 18, 2014)

A new critical Elevation of Privilege vulnerability has been discovered in the Microsoft Windows Kerberos KDC service in multiple Microsoft operating systems. By exploiting this vulnerability, an attacker can elevate the privileges of an unprivileged domain user account to those of the domain administrator account. An attacker could use these elevated privileges to compromise any computer in the domain, including domain controllers. Microsoft has released an advisory about this vulnerability.

An attacker must have valid domain credentials to exploit this vulnerability. This mitigates the severity of the vulnerability. However, Microsoft has not identified any workarounds for this vulnerability.

The Dell SonicWALL Threat Research Team has researched this vulnerability and released the following IPS signature to protect customers:

  • IPS: 6052 Microsoft Windows Kerberos Elevation of Privilege (MS14-068)

Magnitude Exploit Kit using HTML5 canvas element to hide Iframe (Nov 17, 2014)

The Dell SonicWALL Threats Research team analyzed a drive-by attack involving the Magnitude exploit kit, which leads to the download of additional malware on the target system after a successful exploit run. The malware in this case is a Trojan downloader.

Magnitude Exploit Kit is an old kit that has been present in the wild for more than a year. But recently we observed an update in the way it redirects victims from compromised websites to its landing page. In this update, the kit redirects users using an iframe that is generated from a specially crafted image file, in order to evade detection by AV.

This kit uses the HTML5 canvas element to read the image file byte by byte and extract the iframe, as shown below:

Fig-1 : JavaScript code to extract data from image file

Below are screenshots of the crafted image file and its decoded data.

Fig-2 : Encoded image file
Fig-3 : Decoded iframes from image file

On successful decoding, the kit redirects users to its landing page. The landing page contains HTML code to run a Java applet, Flash and an iframe, which are the exploits. Unlike other kits, this kit’s landing page doesn’t check for the browser plugins or software installed on the system.
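An analyst looking at such an image wants the same bytes the kit’s script reads, without running that script. The following is an added example, not the kit’s JavaScript and not Dell SonicWALL’s code: it assumes the payload sits in the R, G and B channels of an RGBA pixel buffer (what a canvas getImageData() call hands back) with alpha used as padding, strips the alpha bytes, and searches the recovered text for iframe tags and their src attributes. encode_sample() builds a constructed buffer for the demonstration; the real kit’s pixel encoding is not specified above and may differ.

```python
"""Recover markup hidden in image pixel data, as an analyst would when
examining a Magnitude-style redirect image.

Added example, not the kit's script and not Dell SonicWALL's code. Assumes
payload bytes in the R, G, B channels of an RGBA buffer, alpha as padding.
"""
import re

IFRAME_RE = re.compile(r"<iframe\b[^>]*>", re.I)
SRC_RE = re.compile(r"""src\s*=\s*["']?([^"'\s>]+)""", re.I)


def encode_sample(payload):
    """Constructed fixture: three payload bytes per pixel, alpha 255, zero-padded."""
    out = bytearray()
    for i in range(0, len(payload), 3):
        out += payload[i:i + 3].ljust(3, b"\x00") + b"\xff"
    return bytes(out)


def rgb_bytes(rgba):
    """Drop every fourth byte (alpha) from an RGBA pixel buffer."""
    if len(rgba) % 4:
        raise ValueError("RGBA buffer length must be a multiple of 4")
    return bytes(b for i, b in enumerate(rgba) if i % 4 != 3)


def find_hidden_iframes(rgba):
    """Return (tag, src) pairs for every iframe found in the pixel payload."""
    # latin-1 maps every byte value, so arbitrary pixel data never fails to decode.
    text = rgb_bytes(rgba).rstrip(b"\x00").decode("latin-1")
    results = []
    for tag in IFRAME_RE.finditer(text):
        m = SRC_RE.search(tag.group(0))
        results.append((tag.group(0), m.group(1) if m else None))
    return results


if __name__ == "__main__":
    payload = b'<iframe src="http://landing.example/" width="1" height="1"></iframe>'
    for tag, src in find_hidden_iframes(encode_sample(payload)):
        print(src, "<-", tag)
```

Because getImageData() returns decoded pixels rather than the file bytes, a detector that only scans the PNG or JPEG container for “<iframe” can miss this; scanning the decoded channels is what catches it.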

Fig-4 : Magnitude Exploit kit’s landing page

Currently we have observed it serving CVE-2013-2465 (Java vulnerability) and CVE-2013-2551 (IE10 vulnerability). On successful exploitation, these exploits download further malicious binaries.

Keeping software up to date helps mitigate this exploit kit.

SonicWALL Gateway AntiVirus provides protection against this threat via the following signatures:

  • Upatre.AA_14 (Trojan)
  • Injector.BLVV (Trojan)
  • Simda.B_61 (Trojan)

Microsoft Security Bulletin Coverage (November 12, 2014)

Dell SonicWALL has analyzed and addressed Microsoft’s security advisories for the month of November 2014. A list of the issues reported, along with Dell SonicWALL coverage information, follows:

MS14-064 Vulnerabilities in Windows OLE Could Allow Remote Code Execution (3011443)

  • CVE-2014-6332 Windows OLE Automation Array Remote Code Execution Vulnerability
    SPY: 2230 “Malformed-File html.MP.53”
  • CVE-2014-6352 Windows OLE Remote Code Execution Vulnerability
    SPY: 1578 “Malformed-File xml.TL.37”

MS14-065 Cumulative Security Update for Internet Explorer (3003057)

  • CVE-2014-4143 Internet Explorer Memory Corruption Vulnerability
    SPY: 2228 “Malformed-File html.MP.50”
  • CVE-2014-6323 Internet Explorer Clipboard Information Disclosure Vulnerability
    SPY: 2229 “Malformed-File html.MP.51”
  • CVE-2014-6337 Internet Explorer Memory Corruption Vulnerability
    IPS: 5931 “Microsoft Internet Explorer Use After Free”
  • CVE-2014-6339 Internet Explorer ASLR Bypass Vulnerability
    IPS: 5943 “Internet Explorer Out of Bound access(MS14-065)”
  • CVE-2014-6340 Internet Explorer Cross-domain Information Disclosure Vulnerability
    IPS: 5955 “Internet Explorer Information Disclosure (MS14-065)”
  • CVE-2014-6341 Internet Explorer Memory Corruption Vulnerability
    IPS: 5957 “Microsoft Internet Explorer Use After Free(MS14-065) 1”
  • CVE-2014-6342 Internet Explorer Memory Corruption Vulnerability
    IPS: 5959 “Internet Explorer Out of Bound access(MS14-065) 2”
  • CVE-2014-6343 Internet Explorer Memory Corruption Vulnerability
    There are no known exploits in the wild.
  • CVE-2014-6344 Internet Explorer Memory Corruption Vulnerability
    There are no known exploits in the wild.
  • CVE-2014-6345 Internet Explorer Cross-domain Information Disclosure Vulnerability
    IPS: 5962 “Internet Explorer Cross-domain Information Disclosure (MS14-065) 2”
  • CVE-2014-6346 Internet Explorer Cross-domain Information Disclosure Vulnerability
    IPS: 5958 “Internet Explorer Cross-domain Information Disclosure (MS14-065) 1”
  • CVE-2014-6347 Internet Explorer Memory Corruption Vulnerability
    IPS: 5915 “Internet Explorer Memory Corruption Vulnerability (MS14-065) 1”
  • CVE-2014-6348 Internet Explorer Memory Corruption Vulnerability
    IPS: 5918 “Internet Explorer Memory Corruption Vulnerability (MS14-065) 2”
  • CVE-2014-6349 Internet Explorer Elevation of Privilege Vulnerability
    There are no known exploits in the wild.
  • CVE-2014-6350 Internet Explorer Elevation of Privilege Vulnerability
    There are no known exploits in the wild.
  • CVE-2014-6351 Internet Explorer Memory Corruption Vulnerability
    IPS: 5924 “Internet Explorer Memory Corruption Vulnerability (MS14-065) 3”
  • CVE-2014-6353 Internet Explorer Memory Corruption Vulnerability
    IPS: 5934 “Internet Explorer Memory Corruption Vulnerability (MS14-065) 4”

MS14-066 Vulnerability in Schannel Could Allow Remote Code Execution (2992611)

  • CVE-2014-6321
    IPS: 5963 “Microsoft Schannel Remote Code Execution (MS14-066)”

MS14-067 Vulnerability in XML Core Services Could Allow Remote Code Execution (2993958)

  • CVE-2014-4118 MSXML Remote Code Execution Vulnerability
    There are no known exploits in the wild.

MS14-069 Vulnerabilities in Microsoft Office Could Allow Remote Code Execution (3009710)

  • CVE-2014-6333 Microsoft Office Double Delete Remote Code Execution Vulnerability
    IPS: 5954 “Microsoft Office Remote Code Execution (MS14-069) 1”
  • CVE-2014-6334 Microsoft Office Bad Index Remote Code Execution Vulnerability
    IPS: 5956 “Microsoft Office Remote Code Execution (MS14-069) 2”
  • CVE-2014-6335 Microsoft Office Invalid Pointer Remote Code Execution Vulnerability
    IPS: 1578 “Microsoft Word Invalid Pointer Remote Code Execution (MS14-069)”

MS14-070 Vulnerability in TCP/IP Could Allow Elevation of Privilege (2989935)

  • CVE-2014-4076 TCP/IP Elevation of Privilege Vulnerability
    There are no known exploits in the wild.

MS14-071 Vulnerability in Windows Audio Service Could Allow Elevation of Privilege (3005607)

  • CVE-2014-6322 Windows Audio Service Vulnerability
    There are no known exploits in the wild.

MS14-072 Vulnerability in .NET Framework Could Allow Elevation of Privilege (3005210)

  • CVE-2014-4149 TypeFilterLevel Vulnerability
    There are no known exploits in the wild.

MS14-073 Vulnerability in Microsoft SharePoint Foundation Could Allow Elevation of Privilege (3000431)

  • CVE-2014-4116 SharePoint Elevation of Privilege Vulnerability
    IPS: 6753 “Cross-Site Scripting (XSS) Attack 8”

MS14-074 Vulnerability in Remote Desktop Protocol Could Allow Security Feature Bypass (3003743)

  • CVE-2014-6318 Remote Desktop Protocol (RDP) Failure to Audit Vulnerability
    There are no known exploits in the wild.

MS14-076 Vulnerability in Internet Information Services (IIS) Could Allow Security Feature Bypass (2982998)

  • CVE-2014-4078 IIS Security Feature Bypass Vulnerability
    There are no known exploits in the wild.

MS14-077 Vulnerability in Active Directory Federation Services Could Allow Information Disclosure (3003381)

  • CVE-2014-6331 Active Directory Federation Services Information Disclosure Vulnerability
    There are no known exploits in the wild.

MS14-078 Vulnerability in IME (Japanese) Could Allow Elevation of Privilege (2992719)

  • CVE-2014-4077 Microsoft IME (Japanese) Elevation of Privilege Vulnerability
    There are no known exploits in the wild.

MS14-079 Vulnerability in Kernel Mode Driver Could Allow Denial of Service (3002885)

  • CVE-2014-6317 Denial of Service in Windows Kernel Mode Driver Vulnerability
    There are no known exploits in the wild.

Holiday Shopping Season Phishing Emails

The holiday shopping season is fast approaching, and this means new phishing email campaigns. During the excitement of holiday shopping, users can often be in a rush to get their shopping done and make hasty decisions when confronted with unexpected or unsolicited emails. Don’t let haste lead to a compromised system; prepare your users. Now is a good time for security administrators to educate their users about how to identify phishing emails, and to make sure users’ systems are patched.

The graph below shows the seasonal increase in online shopping activity seen in Dell SonicWALL telemetry data for DNS queries to Amazon.com during the final quarter of 2013. This pattern illustrates the increase in online shopping by Dell SonicWALL customers. During this quarter the risk for phishing email campaigns is also increased. In the graph you can see the weekly variation in DNS queries to Amazon.com, as well as the increase leading-up to Christmas Day. The traffic appears to spike in the first week of December. We expect a similar pattern this year as well.

Amazon.com DNS Queries Hits for Last 3 Months of 2013

An important skill for staying safe online is knowing how to identify the fraudulent domain names used in phishing emails. Scammers usually try to deceive end users by disguising the true second-level domain, prepending legitimate, familiar names to the beginning of the hostname. Appearing to come from a legitimate source, the phishing email contains links to sites that host exploit code, with the hope that the user has an unpatched system and a vulnerable web browser, and the goal of compromising the user’s system.

Phishing campaigns during past Holiday seasons include fraudulent emails appearing to be from sites like Amazon.com, U.S.P.S., FedEx, and other companies involved in holiday commerce. A typical phishing email will be from a domain like customer_service@amazon.com–0123-xyz.malicious-site.com, and contain a message about a free gift card, or an order confirmation request, or shipment tracking links. These links go to the attacker’s domain, malicious-site.com, and not amazon.com.
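The rule in the paragraphs above, that only the registrable domain at the end of the hostname matters, can be applied mechanically. The following is an added example, not Dell SonicWALL’s code: it isolates the domain that actually receives the click from a link or sender address, ignoring brand names stuffed into earlier labels, the user-info part of a URL and the local part of an e-mail address, and reports which brand, if any, is merely being borrowed. The BRANDS set, the small two-label suffix set and the sample inputs are constructed for this example; production code should consult the full Public Suffix List instead of the suffix set assumed here.

```python
"""Pull the registrable domain out of a phishing link or sender address.

Added example, not Dell SonicWALL's code. TWO_LABEL_SUFFIXES and BRANDS are
assumptions for the demonstration; the sample inputs are constructed.
"""
from urllib.parse import urlsplit

# Assumption: a few two-label public suffixes under which the registrable domain has three labels.
TWO_LABEL_SUFFIXES = {"co.uk", "com.au", "co.jp", "com.br"}
BRANDS = {"amazon.com", "usps.com", "fedex.com"}


def registrable_domain(host):
    """Return the part of the hostname a registrar actually handed out."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in TWO_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def hostname_of(text):
    """Hostname of a URL, or the domain part of an e-mail address."""
    if "@" in text and "://" not in text:
        return text.rsplit("@", 1)[1].strip("<>").lower()
    if "://" not in text:
        text = "http://" + text              # bare host/path as pasted from an e-mail
    # urlsplit puts anything before '@' into username/password, not hostname,
    # so "http://amazon.com@evil.example/" correctly yields evil.example.
    return (urlsplit(text).hostname or "").lower()


def check(text):
    """Which domain gets the click, and whether a known brand is merely borrowed."""
    host = hostname_of(text)
    domain = registrable_domain(host)
    borrowed = sorted(b for b in BRANDS if b.split(".")[0] in text.lower() and domain != b)
    return {"host": host, "registrable_domain": domain, "spoofs": borrowed}


SAMPLES = [
    "customer_service@amazon.com-0123-xyz.malicious-site.com",
    "http://www.amazon.com/gp/css/order-history",
    "http://amazon.com@malicious-site.com/gift-card",
    "fedex.com.tracking.malicious-site.co.uk/track?id=1",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(sample, "->", check(sample))
```

The user-info form (brand before an “@” in the URL) is worth showing users alongside the prepended-label form, since hovering over such a link shows a string that starts with the familiar name.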

Best practices for avoiding phishing scams are:

  • Educate end users on how to hover over links in emails to identify the real domain name in the email from address, as well as in any links in the email body.
  • For users that are unable to identify domain names in links and email addresses, advise them never to click on a link sent in an email, but rather to open the site in a browser by typing manually in the address bar to ensure that they are going to the legitimate site.
  • Always report suspicious emails to your Security Administrator, or directly to the site being spoofed. If in doubt, ask before clicking.
  • Stay up-to-date with software patches for Operating Systems, web browsers and all other software on the computer.
  • Install and keep up-to-date host-based, and network-based Gateway Anti-Virus, and Intrusion Detection systems.

The first malicious Xposed Framework Module ( November 7, 2014 )

One of the key strengths of the Android ecosystem is the extensive degree of customization that is possible. Android by itself provides an immense array of options to customize the device to our liking, but rooting a device adds almost limitless possibilities to tailor the device to our needs and style. There is a long list of custom Android variations of the one that comes by default on the device; these variations are referred to as custom ROMs. The available custom ROMs are each distinct from one another, each with its own style and features.

Adding a custom ROM over the stock ROM on a device is one way of giving your old phone a complete makeover, but the process can be tedious. There are a lot of parameters to consider when changing the stock ROM of a device; a single misstep can render the phone useless. This is often referred to as bricking the phone. Because of the risks involved in this process, people have recently steered towards an alternate way of unlocking the customization potential of their device while keeping the risks low at the same time. Enter the Xposed Framework.

There is a process responsible for running all Android apps called Zygote, which is launched by the /system/bin/app_process executable. The Xposed Framework replaces this executable with a modified version that loads an additional Jar file called XposedBridge.jar. This file acts as a bridge into Zygote, allowing us to run custom code as if it were originally part of Zygote. The custom code introduced into the system gives us the ability to customize system features as if we were running a custom ROM, while keeping the risk of bricking the device to a minimum. The Xposed Framework does require the phone to be rooted, as it needs root privileges to add custom code to the system.

Xposed has a number of modules that add additional features to your device, some popular modules include:

  • BootManager – Choose what apps you want to prevent running upon system startup
  • Tinted Status Bar – Change status bar color based on what app is running
  • Youtube AdAway – Disable ads from youtube app

The process of enabling these modules on the device is as follows:

  • Download the required modules directly or via Xposed Framework
  • Install and activate the module in Xposed
  • Reboot the device for the change to take effect

Giving root privileges to Xposed and allowing it to add code to the system does pose a security risk; however, a module will not be active unless the user enables it in Xposed and reboots the phone. This provides some degree of user intervention and prevents anonymous modules from automatically starting to use Xposed without seeking user permission. However, if the user enables a module in Xposed, it has free rein over the system, as it can hook into other apps and extract sensitive information silently without the victim’s knowledge. The Dell SonicWALL Threats Research team received one such sample, which is actually the first malicious Xposed module.

The following screen is visible once this module has been installed and activated on the device:

We could not find any advertisements for this app showing how it tries to lure victims into installing it. Judging by the options presented, it looks like this module can hide root apps, hide the Xposed Framework and hide itself. There are legitimate apps available like “Hide My Root” and even an Xposed module called “RootCloak” that hide root apps. The malicious module thus tries to blend in with such apps. During installation, it asks for a number of sensitive permissions, which raises suspicion about its true motive. The permissions requested are as follows:

  • read_phone_state
  • modify_phone_state
  • call_phone
  • process_outgoing_calls
  • record_audio
  • camera
  • modify_audio_settings
  • read_contacts
  • write_contacts
  • receive_boot_completed
  • send_sms
  • receive_sms
  • read_sms
  • write_sms
  • internet
  • access_coarse_location
  • access_fine_location
  • access_location_extra_commands
  • access_mock_location
  • update_device_stats
  • wake_lock
  • device_power
  • write_settings
  • disable_keyguard
  • write_external_storage
  • mount_unmount_filesystems
  • read_logs
  • kill_background_processes
  • restart_packages
  • access_network_state
  • write_apn_settings
  • bluetooth
  • reboot
  • android.hardware.sensor.accelerometer
  • access_wifi_state
  • access_superuser

This malicious module has a number of Receivers that are triggered when certain events occur. BootReceiver is activated each time the device boots up; this receiver checks for a database for storing gathered information and creates it if it does not already exist.


A Service is an Android app component that runs in the background to carry out long-term tasks. Even if an app is not active on screen, its services can be constantly running in the background. After BootReceiver ensures that the database has been created successfully, it starts a service called GodService, which in turn starts another service called TeamService. TeamService keeps an eye on incoming SMS messages and scans them for commands coming from the server. The commands are present in the AirService class; this Trojan has a roster of over 40 commands. Some interesting commands are as follows:

  • Upload Call History
  • Upload Album
  • Start Sound Recording
  • Restart Device

Additionally it has a few commands that target specific messengers:

  • Upload WhatsApp Friends
  • Upload WhatsApp Messages
  • Upload QQ Friends
  • Upload QQ History

Additionally the Trojan places hooks and constantly checks whether the InputType value of an EditText operation in an app is 129. Android defines value 129 as a password text box; the module saves details about the app to which this information belongs. Using this component the malicious module can spy on passwords entered by a user on the infected device.

Overall this malicious Xposed module is aimed at gathering sensitive information from the victim’s device with built-in components as well as via commands received remotely from the attacker. But what makes this Xposed module extremely dangerous is that it signifies a new evolutionary step for Android malware by targeting the Xposed Framework. Xposed has been gaining huge popularity owing to the remarkable customization options it gives to a user. Currently Google scans and monitors the apps on Google Play for malicious content, but Google is not responsible for any security risk that may stem from Xposed modules. The only way a user can get any information about the reliability of an Xposed module is by checking for more information about it on the popular Android forum XDA Developers.

There has been a lot of discussion about the security issues that may be caused by the Xposed Framework. While we cannot deny the rich set of features that the Xposed Framework introduces for someone who wants to customize their Android device, it is clear that the security risks it introduces cannot be overlooked. Ultimately, the onus of security of an Android device rests in part on the user; not rooting the device and downloading apps only from Google Play are potent ways to ensure a safe and secure Android experience.

Dell SonicWALL Gateway Antivirus provides protection against this threat via the following signature:

  • GAV: AndroidOS.Malicious.Xposed (Trojan)

Rango Antivirus FakeAV makes a surge (Oct 31, 2014)

The Dell Sonicwall Threats Research team has observed a huge wave of spam that is spreading FakeAV software called Rango Antivirus 2014. FakeAV software was a big trend two years ago but had since died down following the rise of info-stealer Trojans and ransomware such as Cryptolocker. This FakeAV Trojan arrives as an email with an attachment masquerading as a court notice document.

Infection cycle:

The Trojan adds the following files to the filesystem:

  • %APPDATA%\ipcsxnep.exe [Detected as GAV: Zbot.CH_4 (Trojan)]
  • %APPDATA%\upoosook.exe [Detected as GAV: Inject.C_2 (Trojan)]

The Trojan adds the following keys to the Windows registry:

  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run rqvobwcf “%APPDATA%\ipcsxnep.exe”
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run xwpdlhad “%APPDATA%\upoosook.exe”

The Trojan runs an instance of svchost.exe and injects malicious code into it. The malicious code causes it to download an encrypted copy of ipcsxnep.exe from a remote web server:

The following strings were seen in the svchost memory space. Some of this system information is sent encrypted in the initial POST request:

The Trojan then sleeps for a variable period of time. We observed a period of around 10-15 minutes before FakeAV dialogs were shown. The following is a sample of the dialogs shown to the user:

As seen in the screenshots, the Trojan uses the usual FakeAV scare tactics to entice the user into paying for the software. The payment page shows three license packages:

SonicWALL Gateway AntiVirus provides protection against this threat via the following signatures:

  • GAV: Zbot.CH_3 (Trojan)
  • GAV: Zbot.CH_4 (Trojan)
  • GAV: Inject.C_2 (Trojan)